Kassem Bazzoun

Published On: 18 Dec 2021

Prevent any Page from connecting WhatsApp number by causing a rate limit blockage

Rate Limits
Facebook | Web
---
LOW VALID
Description

Facebook Pages have an option that lets admins connect a WhatsApp number to the page; a verification code is needed to add that number. A separate endpoint lets an admin receive the "WhatsApp Business" download link on a phone number. That request takes two params, a page id and the phone number. Changing the page id to the victim page id and then repeatedly sending the request causes a rate limit blockage for that page id, which prevents the page from adding its WhatsApp number.

Impact

A malicious user is able to perform a suspicious action on behalf of any page, which leads to the page being blocked for a few hours from adding its WhatsApp number.

Reproduction Steps

Step 1

UserAttacker puts the id of "PageVictim" in the page_id param:

{"whatsapp_number":"+961123123","page_id":"victim_page_id"}

doc_id : 4251567814863859


Here page_id contains the id of the victim page (the page we want to block from adding its WhatsApp number).

(Note: the whatsapp_number param is the number on which we want to receive the WhatsApp Business link. It has no effect on the attack, other than that Facebook sends a message to that number.)

Step 2

UserAttacker abuses this feature by repeatedly sending the request until the "send_whatsapp_business_download_link" field in the response changes from "true" to "false".

Response to the first request:

    {
      "data": {
        "send_whatsapp_business_download_link": true
      },
      "extensions": {
        "is_final": false
      }
    }

After the request has been sent multiple times, "false" is returned, which means Facebook has blocked the user from sending the request:

    {
      "data": {
        "send_whatsapp_business_download_link": false
      },
      "extensions": {
        "is_final": true
      }
    }

Step 3

UserVictim wants to add their WhatsApp number, so they go to the page "Settings" -> "WhatsApp" (left-side menu).

The WhatsApp settings can also be reached directly through this link:

https://www.facebook.com/page_id/settings/?tab=whatsapp_management


Step 4

UserVictim is prompted to add their WhatsApp number; when they try to add it, the following message appears:

"The number of retries was exceeded. Please wait a few minutes and then try again."

Step 5

UserAttacker is able to repeat this attack with a random WhatsApp number, and the page is blocked every time.

Discussion

A malicious user is able to repeat the same steps to re-block the page from connecting its WhatsApp number. If the block lasts a few hours, the malicious user can use another phone number (changing the whatsapp_number param to any random number) to get the page blocked again, even though the malicious user has no role in that page and the victim has no knowledge of what is happening.

Fix

Facebook should prevent a malicious user from changing the page_id param to another page id, and the block should apply to the user who abuses the feature instead of to the whole page. When a user changes the page id to another page id, the response should be: "You don't have permission to perform this action".
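The two halves of that fix, modelled as an added example (this is illustrative code, not Facebook's implementation; the page/admin mapping, the retry budget and the request counts are constructed assumptions). The vulnerable variant keys its retry budget on the attacker-supplied page_id with no ownership check, so a stranger can exhaust the budget for the real admin; the fixed variant rejects callers who do not administer the page and charges the budget to the caller.

```python
from collections import defaultdict

# Constructed sample data (assumptions, not Facebook's real roles or limits).
PAGE_ADMINS = {"victim_page_id": {"victim_admin"}}
MAX_ATTEMPTS = 3  # hypothetical retry budget before "retries exceeded"


class WhatsAppLinkService:
    """Models the endpoint that sends the WhatsApp Business download link."""

    def __init__(self, key_on_page: bool, check_permission: bool):
        self.key_on_page = key_on_page            # vulnerable: budget keyed by page_id
        self.check_permission = check_permission  # fixed: caller must admin the page
        self.attempts = defaultdict(int)

    def send_link(self, caller: str, page_id: str, whatsapp_number: str) -> dict:
        # Fix part 1: refuse requests for pages the caller does not administer.
        if self.check_permission and caller not in PAGE_ADMINS.get(page_id, set()):
            return {"error": "You don't have permission to perform this action"}
        # Fix part 2: charge the retry budget to the caller, not to the page.
        bucket = page_id if self.key_on_page else caller
        self.attempts[bucket] += 1
        blocked = self.attempts[bucket] > MAX_ATTEMPTS
        return {"data": {"send_whatsapp_business_download_link": not blocked},
                "extensions": {"is_final": blocked}}


def simulate(service: WhatsAppLinkService) -> dict:
    """A non-admin repeats the request for the victim page, then the real admin tries once."""
    stranger_results = [service.send_link("stranger", "victim_page_id", "+961123123")
                        for _ in range(MAX_ATTEMPTS + 2)]
    admin_result = service.send_link("victim_admin", "victim_page_id", "+961000000")
    return {"stranger_last": stranger_results[-1], "admin": admin_result}


vulnerable = simulate(WhatsAppLinkService(key_on_page=True, check_permission=False))
fixed = simulate(WhatsAppLinkService(key_on_page=False, check_permission=True))
```

In the vulnerable run the admin's single attempt is already refused because the page bucket was drained by someone else; in the fixed run the stranger gets the permission error and the admin's request succeeds.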

Timeline

Kassem, 23 Oct 2021: Report Sent

Facebook, 23 Oct 2021: Triaged. "Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ..."

Facebook, 02 Nov 2021: Bug Fixed. "We have looked into this issue and believe that the vulnerability has been patched. If you believe that the patch does not resolve this issue, pl ..."

Facebook, 02 Nov 2021: Bounty Awarded